Data privacy continues to be one of the most important topics of 2021 and will be for the foreseeable future. GDPR has now been in force for over 3 years, CCPA has been in effect since January 2020, and CPRA, an amendment to CCPA, will take effect on January 1, 2023. More state laws are on the way, and the likelihood of a U.S. federal data privacy law grows with every passing week. All of these regulations make sound information practices mandatory.
With merger and acquisition (M&A) activity picking up, acquirers are keen to make sure they’re not buying a liability. A target’s data can be a valuable asset that increases the company’s potential worth to the acquirer; conversely, irresponsible practices and poorly managed data architectures can be a huge liability. In a recent survey by Merrill Corporation among M&A professionals, 55 percent of respondents cited a target company’s compliance and data protection practices as a primary reason a deal failed to complete. If you want more proof, look at the UK ICO’s proposed £99 million (about $123 million) GDPR fine against Marriott International over the compromise of Starwood Hotels’ guest reservation database, an intrusion that began before Marriott acquired Starwood. The penalty was later reduced to £18.4 million, but the lesson stands: Marriott inherited the breach, and the liability for it, along with the data.
While individual data privacy laws may differ on details, several common themes have emerged, which facilitates the task of evaluating potential M&A targets. When considering a merger or acquisition, make sure that your due diligence process encompasses the following key areas:
1. Applicability of data privacy laws
Make sure you understand which data privacy laws affect the target company and how they apply. For example, GDPR requires an organization to designate a data protection officer (DPO) only in specific circumstances: when processing is carried out by a public authority or body, or when the organization’s core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data (or data relating to criminal convictions). Whether this requirement applies to a potential target therefore depends on the specifics of the company, not simply on its size.
Another important consideration is whether the target has the flexibility to align with future data privacy laws. When GDPR was passed, some companies handled compliance by segregating their European data subjects and implementing data privacy measures only for those individuals. When CCPA took effect, many of those companies had to start over in protecting a new population of data subjects. Companies that see the big picture follow a “data privacy by design and default” approach that not only satisfies current requirements, but also makes it easy for them to adapt in a rapidly changing data privacy environment.
2. Data policies and procedures
Evaluating a target’s policies and procedures may be one of the easier facets of data privacy due diligence, in that these areas usually involve documented information. When reviewing procedures, make sure the target has documented processes for accommodating data subject rights under applicable laws, such as the right to access and the right to erasure of one’s personal data, and that all appropriate personnel have been trained in these procedures.
3. Data systems, architecture, and flow
It’s one thing to write data privacy procedures, but having a data architecture that allows you to execute is often another matter. Does the target company know what data they have, where it’s located, who has access to it, and what they do with it … and if a data subject requests access to or erasure of her data, can they fulfill her request promptly? Additional considerations include:
- Whether the target has “black box” data stores that may go unreviewed for years at a time
- How they document consent/refusal to allow processing of personal data and how consent tracking is used to ensure the data subject’s request is honored
- Data proliferation lifecycles, both within and outside of the company
The business world is always changing, and so is the data privacy environment. Even if the target company was considered “compliant” when the applicable laws first took effect, lack of adequate governance can cause even the most diligent efforts to become moot over time. Ask about their data governance practices and how they monitor for “triggers” that can impact their compliance status, such as new product lines, new vendors or data-sharing arrangements, expansion into new jurisdictions, and changes to the laws themselves.
We’ve covered just a few of the areas to consider in evaluating the data privacy risks of a potential target as part of your M&A due diligence. There are many others (e.g., security measures, third-party contracts, etc.) and the more you discover about your target, the more accurate your picture of their data privacy risk level.
While some may have seen GDPR or CCPA as a finish line, we now understand that it was a milestone, the first in a wave of data privacy laws that will eventually impact almost every organization. In approaching mergers and acquisitions, taking a target’s data privacy practices into consideration is no longer optional — both for compliance purposes and for the integrity of the post-merger organization and the trust that customers and partners are willing to place in it. By incorporating data privacy considerations — particularly those concerning data management — as part of your M&A due diligence, you can paint a more accurate picture of the target company and improve your chances for a successful deal.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy—particularly GDPR, CCPA, CPRA, and other data laws. She has spoken at events sponsored by American Banker, International In-House Counsel Journal, the American Bar Association, TDWI, and other organizations. She also serves on the advisory board of the Association for Data and Cyber Governance.
Evan Alkhas is a Strategy Manager at Logic20/20 with extensive knowledge in strategic development, operating models, business process optimization, and new product innovation.